
AZ-104 Exam - Question 563


You have an Azure subscription that contains 10 network security groups (NSGs), 10 virtual machines, and a Log Analytics workspace named Workspace1. Each NSG is connected to a virtual machine.

You need to configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected.

What should you do first?

Correct Answer: D

To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, the first step is to configure NSG flow logs. NSG flow logs provide essential information about traffic that is allowed or denied by the Network Security Group, which enables the monitoring and analysis of network traffic. This is crucial for identifying and alerting on any suspicious network activity.
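As an added example that is not part of the original page, the following Python parses a constructed NSG flow log record in the version 2 tuple layout and reports sources whose inbound connections were denied on several distinct ports. The sample data, the function names and the three-port threshold are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
# Tuple fields: time,src,dst,srcPort,dstPort,proto,direction,decision,state,
# followed by packet/byte counters (empty when the state is B = begin).
SAMPLE = json.dumps({"records": [{
    "time": "2023-01-06T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1672999200,203.0.113.7,10.0.0.4,50001,22,T,I,D,B,,,,",
            "1672999201,203.0.113.7,10.0.0.4,50002,3389,T,I,D,B,,,,",
            "1672999202,203.0.113.7,10.0.0.4,50003,445,T,I,D,B,,,,",
            "1672999203,198.51.100.9,10.0.0.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1672999204,192.0.2.10,10.0.0.4,51000,443,T,I,A,B,,,,",
            "1672999264,192.0.2.10,10.0.0.4,51000,443,T,I,A,E,12,3400,10,9800"]}]}
    ]}}]})

def parse_tuples(log_text):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched."""
    for record in json.loads(log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for raw in flow["flowTuples"]:
                    f = raw.split(",")
                    if len(f) < 8:
                        continue  # malformed tuple: skip rather than crash
                    yield {"src": f[1], "dst": f[2], "dst_port": int(f[4]),
                           "direction": f[6], "decision": f[7],
                           "rule": rule_block["rule"]}

def denied_inbound_scanners(log_text, min_ports=3):
    """Map source IP -> sorted denied inbound ports, for sources that were
    denied on at least min_ports distinct ports (illustrative heuristic)."""
    ports = defaultdict(set)
    for t in parse_tuples(log_text):
        if t["direction"] == "I" and t["decision"] == "D":
            ports[t["src"]].add(t["dst_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(denied_inbound_scanners(SAMPLE))
```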

Discussion

15 comments
khaled_razouk Option: D
Jan 6, 2023

To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you should first configure NSG flow logs. NSG flow logs provide information about traffic that is allowed or denied by an NSG. By configuring NSG flow logs, you will be able to monitor the traffic passing through your NSGs and detect any suspicious activity.

Muffay Option: D
Jan 5, 2023

I think D is correct. https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview#traffic The Traffic tab provides access to all NSGs configured for NSG flow logs and Traffic Analytics for the selected set of subscriptions, grouped by location.

moshos
Jan 22, 2023

Also https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview "Identify unknown or undesired traffic." in Common use cases

sardonique
Oct 18, 2023

Mlantonis where are you!!

sjb666 Option: A
Mar 21, 2023

Hmmm... not often I disagree with a 100% vote, but here goes: The question specifically says there is a Log Analytics workspace named Workspace1. A Log Analytics Workspace is used for Connection Monitor, NOT NSG Flow Logs, which use a storage account instead. NSG Flow Logs: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#read-and-export-flow-logs Connection Monitor: https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview#data-collection-analysis-and-alerts So the answer is A

MOSES3009 Option: D
Nov 9, 2023

D is the one that can help to identify "wrong" traffic. Connection Monitor is doing what it says - monitor. That means it monitors a "known" connection - aka from IP1 to IP2 port xx. It will not be aware of any suspicious connection between VMs.

MOSES3009
Nov 9, 2023

Here is the link for Connection Monitor -> https://learn.microsoft.com/en-us/azure/network-watcher/monitor-vm-communication

zellck Option: D
Feb 11, 2023

D is the answer. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#why-use-flow-logs It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance. Knowing your own environment is of paramount importance to protect and optimize it. You often need to know the current state of the network, who is connecting, where they're connecting from, which ports are open to the internet, expected network behavior, irregular network behavior, and sudden rises in traffic.

CyberKelev Option: D
Mar 4, 2023

The correct answer is D. Configure NSG flow logs

sjb666
Mar 23, 2023

Reluctantly, I have to agree that Flow Logs looks more correct. The Log Analytics Workspace bit would appear to be a red herring.

djgodzilla
Mar 30, 2023

Traffic Analytics: Analyzes Network Watcher - NSG flow logs to provide insights into traffic flow in your Azure cloud. Requires >> Network Watcher, (NSG) flow logs enabled, Storage account, to store raw flow logs, Log Analytics workspace, with read and write access.

Exilic Option: D
May 4, 2023

OpenAI "The correct answer is D. Configure NSG flow logs. To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you need to enable NSG flow logs for each NSG that is connected to a virtual machine. NSG flow logs capture information about inbound and outbound traffic flowing through an NSG. Once NSG flow logs are enabled, you can use Azure Monitor to analyze the logs and create alerts for suspicious traffic patterns. Therefore, the first step is to configure NSG flow logs. Option A, B, and C are not directly related to configuring an Azure Monitor Network Insights alert for detecting suspicious network traffic. Connection Monitor is used to monitor connectivity to Azure resources. Configuring data collection endpoints is related to collecting data from various sources, and configuring a private link is used to securely access Azure services over a private connection."

BobbyMc3030 Option: D
Jun 22, 2023

My vote is D - NSG Flow logs. The question mentioned suspicious activity and that’s what flow logs are for. Who’s connecting from where and other behaviors. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

marioZuo
Jul 31, 2023

Connection Monitor is for latency and network issues with IaaS devices over a period of time. Data collection rule is only for VMs.

DeVullers Option: D
Sep 7, 2023

Correct answer: D. To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you should first configure NSG flow logs. NSG flow logs provide information about traffic that is allowed or denied by an NSG. By configuring NSG flow logs, you will be able to monitor the traffic passing through your NSGs and detect any suspicious activity. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more. Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#why-use-flow-logs

Amir1909
Mar 21, 2024

D is right

[Removed] Option: D
Oct 12, 2024

D is correct